Skillv1.0.0

ClawScan security

Plant Species Recognition Skill | 植物物种识别技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 18, 2026, 10:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to be a plant-species recognizer, but the package contains unrelated face-analysis code, a large common library that reads/writes local config and a local SQLite DB, and it calls external APIs — these behaviors and artifacts don't fully match the stated minimal requirements and deserve review before use.
Guidance: What to check before installing or enabling this skill: - The package contains an unrelated face-analysis skill and a large shared library (skills/face_analysis and skills/smyx_common). If you only want plant recognition, ask the author why face/biometric code is bundled and whether a trimmed package exists. - Inspect RequestUtil (skills/smyx_common/scripts/util.py) and any http_post/http_get wrappers to see where images and metadata are sent (the repo contains prod base URLs like open.lifeemergence.com and other domains). If the skill uploads images or extracted data to external servers, confirm the destination, privacy policy, and whether you have permission to transmit those images. - The code reads/writes config.yaml files and will create a local SQLite database under the workspace/data directory. If you want to avoid local persistence, run the skill in a sandbox or deny write access and verify behavior. - SKILL.md forbids reading local 'memory' files, but the code can read environment variables (OPENCLAW_SENDER_OPEN_ID, FEISHU_OPEN_ID) and configuration files to obtain open-id/api-key values. Ensure these environment/config sources do not contain sensitive secrets you don't want the skill to read. - Because the repo includes heavy dependencies, if you choose to run it, install and execute in an isolated environment (container, VM) with network egress controls, so you can observe outbound traffic before allowing access to production systems or sensitive data. Concrete actions: 1) Review skills/smyx_common/scripts/util.py (RequestUtil) and skills/smyx_common/scripts/config.yaml to see endpoints and whether API keys are used. 2) Search the code for any hard-coded URLs or domain names, and verify where reportImageUrl or exported reports are hosted. 3) If you still want to use it, request an author-provided, minimal plant-only package or a written privacy/data-flow statement describing what is uploaded, stored, and persisted. Confidence note: I gave 'suspicious' with medium confidence because important helper code (util.py) was not fully shown; reviewing RequestUtil and the actual network call implementations would raise or lower confidence.

Review Dimensions

Purpose & Capability: concernThe skill is described as a plant species recognition tool, but the repository includes a complete face-analysis skill and a large shared 'smyx_common' library. Face-analysis code (biometric processing) and broad common utilities are not required to perform a single-image plant classifier and therefore are disproportionate to the stated purpose.
Instruction Scope: concernSKILL.md enforces strict rules (forbid reading local memory files, require cloud-only history queries, strict open-id retrieval flow). The code, however, will read and create config.yaml files (skills/smyx_common/scripts/config.yaml), set and read runtime environment values, and persist data via a local SQLite DB (skills/smyx_common/scripts/dao.py). The instructions also mandate saving uploaded attachments to a local attachments directory, implying on-disk persistence. These behaviors conflict with the 'do not read local memory' framing and expand scope beyond pure image classification.
Install Mechanism: noteThere is no install spec (instruction-only), so nothing is automatically downloaded during installation. However, the repository includes a large requirements.txt in skills/smyx_common with many packages (including network-capable libraries). That indicates substantial runtime dependencies if the user or integrator installs them — more than what SKILL.md lists (requests only). This is a traceability/maintenance concern rather than an explicit remote-install risk in the manifest.
Credentials: concernSKILL.md declares no required env vars, but the code reads environment variables (OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, etc.) and uses configuration files for API keys and base URLs. The skill will accept or derive an open-id from config files or environment and may use API keys found in configs. Reading/writing credential-like config fields and environment variables is disproportionate given the described single-service purpose and the SKILL.md's strict rules.
Persistence & Privilege: concernThe code will (a) create/read YAML config files under skills/* (YamlUtil.load auto-creates missing config files), (b) create a local SQLite DB under a workspace data directory, and (c) save uploaded attachments. The skill therefore gains persistent storage on disk and may store user identifiers/tokens and analysis records — a meaningful persistence footprint that is not obvious from the description.